Options for Cyrus SASL

This document contains information on what options are used by the
Cyrus SASL library and bundled mechanisms. The most commonly used
options (and those that are therefore most commonly misunderstood
are pwcheck_method and auxprop_plugin. Please ensure
that you have configured these correctly if things don't seem to
be working right. Additionally, mech_list can be an easy
way to limit what mechanisms a given application will use.

Option

Used By

Description

Default

authdaemond_path

SASL Library

Path to Courier-IMAP authdaemond's unix socket.
Only applicable when pwcheck_method is set to authdaemond.

/dev/null

auto_transition

SASL Library

When set to 'yes' or 'noplain',
and when using an auxprop plugin, automatically transition
users to other mechs when they do a successful plaintext
authentication. When set to 'noplain', only non-plaintext secrets
will be written. Note that the only mechs (as currently
implemented) which don't use plaintext secrets are
OTP and SRP.

no

auxprop_plugin

Auxiliary Property Plugin

Name of auxiliary plugin to use, you may specify a space-separated
list of plugin names, and the plugins will be queried in order

(null) - querys all plugins

canon_user_plugin

SASL Library

Name of canon_user plugin to use

INTERNAL

keytab

GSSAPI

Location of keytab
file

/etc/krb5.keytab (system dependant)

ldapdb_uri

LDAPDB plugin

ldap server uri, you can specify a space-separated list of URIs -
ldapi:// or ldaps://ldap1/ ldaps://ldap2/

none

ldapdb_id

LDAPDB plugin

ldap SASL authentication id

none

ldapdb_mech

LDAPDB plugin

ldap SASL mechanism for authentication

none

ldapdb_pw

LDAPDB plugin

ldap password for SASL authentication id

none

ldapdb_rc

LDAPDB plugin

The filename specified here will be put into the server's LDAPRC
environment variable, and libldap-specific config options may be set
in that ldaprc file. The main purpose behind this option is to allow
a client TLS certificate to be configured, so that SASL/EXTERNAL may
be used between the SASL server and the LDAP server. This is the most
optimal way to use this plugin when the servers are on separate machines.

none

ldapdb_starttls

LDAPDB plugin

Use StartTLS. This option may be set to 'try' or 'demand'.
When set to "try" any failure in StartTLS is ignored.
When set to "demand" then any failure aborts the connection.

Notes on SQL auxprop options

The sql_insert and sql_update options are
optional and are only needed if you wish to allow the SASL library
(e.g., saslpasswd2) and plugins (e.g., OTP) to write properties to the
SQL server. If used, both statements MUST be provided so that
properties can be added, changed and deleted.
NOTE: The columns for writable properites MUST accept NULL values.

The SQL statements provided in the sql_select,
sql_insert and sql_update options can contain
arguments which will be substituted with the appropriate values. The
valid arguments are:

%u

Username whose properties are being fetched/stored.

%p

Name of the property being fetched/stored. This could
technically be anything, but SASL authentication will try
userPassword and cmusaslsecretMECHNAME (where MECHNAME is the
name of a SASL mechanism).

%r

Realm to which the user belongs. This could be the
kerberos realm, the FQDN of the computer the SASL application is
running on or whatever is after the @ on a username. (read the
realm documentation).

%v

Value of the property being stored (INSERT or
UPDATE only!). This could technically be anything depending on
the property itself, but is generally a userPassword.

NOTE: DO NOT put quotes around the entire SQL
statement, but each individual %u, %r and %v argument MUST be
quoted.

Notes on LDAPDB auxprop options

Unlike other LDAP-enabled plugins for other services that are common
on the web, this plugin does not require you to configure DN search
patterns to map usernames to LDAP DNs. This plugin requires SASL name
mapping to be configured on the target slapd. This approach keeps the
LDAP-specific configuration details in one place, the slapd.conf, and
makes the configuration of remote services much simpler.

This plugin is not for use with slapd itself. When OpenLDAP is
built with SASL support, slapd uses its own internal auxprop module.
By default, without configuring anything else, slapd will fail to load
the ldapdb module when it's present. This is as it should be. If you
don't like the "auxpropfunc: error -7" message that is sent to syslog
by slapd, you can stop it by creating /usr/lib/sasl2/slapd.conf with:

auxprop_plugin: slapd

which will force the SASL library to ignore all other auxprop modules.

Examples:

The LDAP server must be configured to map the SASL authcId "root" into a DN
that has proxy authorization privileges to every account that is allowed to
login to this server. (See the OpenLDAP Admin Guide section 10 for
details.)

ldapdb_uri: ldapi://
ldapdb_mech: EXTERNAL

This configuration assumes an LDAP server is on the same server that is
using SASL and the underlying OS is *NIX based (ldapi:// requires UNIX domain
sockets). This is fast and secure, and needs no username or password to be
stored. The slapd.conf will need to map these usernames to LDAP DNs: